Google DKIM question as I look at email Headers

Hello all, Under the Forwarders area there is a section titled Gmail / Apps Forwarding. If I dig down into that a bit I see that one of my forwarders shows as fail-unaligned. This is for a web based project management tool we use in our business called and it does send out email on our behalf. I’ve added the proper SFP and DKIM records and they show as passing. But If you look at the attached file you’ll see in row 1 that it shows as fail-unaligned for Mail From But if you look at row 3 you’ll see that it shows as aligned for Mail From so it is aligning sometimes. Can Someone help explain to me what I’m looking at with these particular records and why things may vary like this? I see that the DKIM selector varies so maybe workamajig is stripping the DKIM info out of the header therefor its failing alignment now?

Thanks in advance

Hi Ryan,

In the detail viewer, ensure all columns are visible.


The purpose of this is to look at the override reason and override comment columns. If we see “local ppolicy” and “arc=pass” respectively, it means the data is truly forwarding. Meaning, emails sent from your domain to’s MX (which are google) and then it was forwarded by their servers automatically.

With Google, this is often due to Google Groups behaviour. When an email is sent to a google group, it behaves like a mailing list. There is first a DMARC check done when the email is first received by Google for the group, and then a unique DMARC check again when Google forwards the email to members of that group, even when the members of the group and the group’s own email address are all on the same domain.

Finally, I would like to confirm what you mean by aligned. Alignment is not achieved in your screenshot. Alignment is the requirement of the mail_from and DKIM signing domain (d=) being identical or a subdomain of the domain used in the from_header, depending on strict or relaxed alignment configuration.

The difference in DKIM results could be a few things,. The most common is if the original email was DKIM signed to begin with. If it was not, then the forwarder’s DKIM signature is the only one that would be evaluated by the destination server the forwarder sends to.

I hope this helps.

Sorry, I was reading the info incorrectly on the alignment. Thank you for the clarification on that point though, that was very helpful.

I checked those columns and they do show “local policy” and “arc=pass”. I confess I don’t know much about Workamajig but in reading up on it I see that businesses have the ability to create a unique mailbox at Workamajig that can be used to enhance communication and documentation within the system. Employees have the ability to forward email to this mailbox with specific variables so workamajig can route that email internally and then send out email notifications to employees who are part of that project. Sounds very much like what you were talking about with Google Groups behavior.

Thanks for taking the time to respond, it’s much appreciate.